[ 
https://issues.apache.org/struts/browse/WW-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45453#action_45453
 ] 

Dave Newton commented on WW-2949:
---------------------------------

Keeping it in session is server-side, and a well-known mechanism.

I guess I'd need to see a use-case, or an example of what you'd want this to 
look like. Once the form is rendered the action that rendered it is 
gone--without thinking about it in depth it seems like any solution would use 
one of the existing mechanisms for keeping the data anyway, so I'm not really 
sure what you're proposing.

> Passing parameter value from Action to Action requires a security 
> vulnerability
> -------------------------------------------------------------------------------
>
>                 Key: WW-2949
>                 URL: https://issues.apache.org/struts/browse/WW-2949
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Actions
>    Affects Versions: 2.1.6
>         Environment: All
>            Reporter: Lee Clemens
>            Priority: Minor
>
> To pass parameter value from Action->form->Action, need to use URL parameter 
> or <s:hidden>
> URL can be manipulated manually and hidden form field can be altered via 
> Firefox plugin, etc
> This presents a security issue, since the form's hidden attribute can be 
> manipulated via a Firefox plugin, etc and the URL can be altered directly

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
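
The server-side session mechanism mentioned in the comment above, as an added example that is not part of the original message or of the Struts project's code. It assumes Struts 2 on the classpath; the class names, the session key and the sample record id are hypothetical.

```java
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;
import java.util.Map;

// Hypothetical names throughout: RecordFlow, EditAction, SaveAction, "editRecordId".
public class RecordFlow {
    static final String KEY = "editRecordId";

    /** First action: renders the form. The record id is never written into the page. */
    public static class EditAction extends ActionSupport implements SessionAware {
        private Map<String, Object> session;

        public void setSession(Map<String, Object> session) { this.session = session; }

        @Override
        public String execute() {
            long recordId = 42L;          // constructed sample; chosen by server-side logic
            session.put(KEY, recordId);   // kept server-side instead of in <s:hidden> or the URL
            return SUCCESS;
        }
    }

    /** Second action: handles the form post. */
    public static class SaveAction extends ActionSupport implements SessionAware {
        private Map<String, Object> session;
        private String title;             // user-editable field, bound from the request

        public void setSession(Map<String, Object> session) { this.session = session; }
        public void setTitle(String title) { this.title = title; }
        // Deliberately no setRecordId(): a request parameter named recordId
        // has no setter to bind to, so the client cannot supply the value.

        @Override
        public String execute() {
            Object id = session.remove(KEY);   // one-shot: consumed on first use
            if (!(id instanceof Long)) {
                addActionError("No edit in progress");
                return ERROR;
            }
            long recordId = (Long) id;
            // ... persist 'title' for 'recordId' here ...
            return SUCCESS;
        }
    }
}
```

A single fixed session key means two forms open in the same session overwrite each other's value; keying the entry by a per-form random token avoids that.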